Keys not trusted

Adrian 'Dagurashibanipal' von Bidder
Tue May 6 07:49:02 2003

On Tuesday 06 May 2003 02:03, Wolfgang Bornath wrote:
> Hi,
> Being fairly new in this I joined this list and received some messages
> by people who signed their messages. I always imported the keys (using
> the gpg option --auto-key-retrieve) and kmail tells me
> "Message is signed by XY (blahblub) (Key-ID: 0x12345678).
> Signature is valid but the key is not trusted."

This is not a bad thing in itself - it just means that you do not absolutely
know that you have the person's true public key. It could be just somebody
posting a public key under their name.

> When I want to send a private mail to somebody like that and I want to
> encrypt the text I see the list of my pubring but all imported keys are
> marked red and I cannot encrypt.
> Only my own public key is marked green and I can use it to send
> encrypted mails to myself (Big Deal!)

Hmm. I think kmail has an option to allow you to send encrypted mail to
untrusted keys. However, it doesn't make sense since you don't really know
who you're sending an encrypted mail to. (Of course, for casual use, you can
usually trust that a published email address, if used for some time on mailing
lists with always the same key, does correspond to the real person. And, if
you look at their public key and there are many signatures on the key from
other people on the mailing list or other people you know, there's a good
chance that the key is actually genuine. It's just not that secure if you
assume that there's an actual enemy around trying to steal somebody's
identity.)

> I signed one of those public keys because I know the person and my sig
> is listed but still the same.

It is good practice to really carefully check that you really have the right
key (and, if you don't know the person well enough, of course also that you
have the right person). Personally, I check the fingerprint with people I
know. Just a little paranoia there, but with the web of trust idea you have
other people relying on you doing this check carefully, and an error affects
not only you but potentially lots of people.

> Could someone explain or point me into the right direction?

You need to build a web of trust - get your key signed by other GPG/PGP users
and sign their key. may list some people in your area,
and there's also a keysigning mailing list (search the archives or google, I
don't have the address handy right now) where you could ask if there's some
people in your area. Then you also need to assign trust values to the keys -
you assess how much you trust other people to be careful when they sign a key
- by running gpg --update-trustdb.

I'd recommend that you read the documentation on , especially
the chapters about key signing and the Web of Trust: ; the interesting bits
are in chapters 3 and 4.

-- vbi

Available for key signing in Zürich and Basel, Switzerland
                     (what's this? Look at
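A model of the trust computation the reply above describes, as an added example (not code from the mail, the poster, or GnuPG itself): it imitates gpg's classic web-of-trust rules with their default thresholds (one fully trusted certifier, or three marginally trusted ones, chain depth at most 5) and shows why a key that carries signatures from several list members still comes out "not trusted", why a key you sign with your own ultimately trusted key becomes valid once the trustdb is rebuilt, and what assigning ownertrust to other people does. The key names and certifications are constructed for the illustration.

```python
"""Model of GnuPG's "classic" web-of-trust validity computation.

Added example, not code from the original mail or from GnuPG itself.
It imitates how gpg's trustdb decides whether a key is *valid* (you
believe it really belongs to the named person). That is a separate
question from whether a signature on a message *verifies*, which is
why kmail can report "signature is valid but the key is not trusted".
Thresholds mirror gpg's defaults: --completes-needed 1,
--marginals-needed 3, --max-cert-depth 5. Key names are made up.
"""

# Ownertrust: how far you trust a key's owner to be careful when *they*
# sign other people's keys (what "trust" inside gpg --edit-key asks for).
UNKNOWN, MARGINAL, FULL, ULTIMATE = "-", "m", "f", "u"

COMPLETES_NEEDED = 1   # one fully trusted certifier makes a key valid
MARGINALS_NEEDED = 3   # or three marginally trusted certifiers
MAX_CERT_DEPTH = 5     # longest certification chain considered


def compute_validity(keys, certs, ownertrust):
    """Return {keyid: validity} for every key in `keys`.

    certs      - set of (signer, signed) pairs: `signer` certified `signed`
    ownertrust - {keyid: ownertrust level}; unlisted keys are UNKNOWN

    Validity uses gpg's letters: "u" ultimate, "f" full, "m" marginal,
    "-" not valid. (gpg also has expired/revoked/disabled states, which
    this model leaves out.)
    """
    validity = {k: "-" for k in keys}
    # Your own key(s), marked ultimately trusted, are valid by definition.
    for k in keys:
        if ownertrust.get(k) == ULTIMATE:
            validity[k] = "u"

    # Walk outward one certification step per round, like the trustdb
    # rebuild that "gpg --update-trustdb" performs.
    for _ in range(MAX_CERT_DEPTH):
        before = dict(validity)
        changed = False
        for k in keys:
            if before[k] in ("u", "f"):
                continue
            full = marginal = 0
            for signer, signed in certs:
                if signed != k or signer == k:
                    continue
                # A certification only counts if the signer's key is itself
                # fully valid: a signature from a stranger's key proves
                # nothing, however many list members co-signed it.
                if before.get(signer) not in ("u", "f"):
                    continue
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = "f"
            elif full or marginal:
                new = "m"
            else:
                new = "-"
            if new != validity[k]:
                validity[k] = new
                changed = True
        if not changed:
            break
    return validity


def wolfgang_scenario():
    """Constructed keyring (not real keys) reproducing the situation above."""
    keys = ["me", "alice", "bob", "carol", "dave", "eve", "frank", "grace",
            "member1", "member2", "stranger"]
    certs = {
        # I signed these four after checking fingerprints in person.
        ("me", "alice"), ("me", "carol"), ("me", "dave"), ("me", "eve"),
        # Alice signed Bob; Carol, Dave and Eve signed Frank; two of them Grace.
        ("alice", "bob"),
        ("carol", "frank"), ("dave", "frank"), ("eve", "frank"),
        ("carol", "grace"), ("dave", "grace"),
        # The list members sign each other, but nobody I trust signed them.
        ("member1", "member2"), ("member2", "member1"),
        ("member1", "stranger"), ("member2", "stranger"),
    }
    # Fresh keyring: only my own key is ultimately trusted.
    before = compute_validity(keys, certs, {"me": ULTIMATE})
    # After I assign ownertrust to the people whose keys I signed.
    after = compute_validity(keys, certs, {
        "me": ULTIMATE, "alice": FULL,
        "carol": MARGINAL, "dave": MARGINAL, "eve": MARGINAL,
    })
    return before, after


if __name__ == "__main__":
    before, after = wolfgang_scenario()
    for k in before:
        print(f"{k:9} before={before[k]} after={after[k]}")
```

In the "before" run only the four keys I signed myself become fully valid; Bob's key, although certified by Alice, stays "-" because I have said nothing about how careful Alice is, and the stranger's key stays "-" no matter how many list members vouch for each other. After ownertrust is assigned, Bob becomes valid through Alice alone, Frank through three marginal certifiers, Grace (two marginals) only marginally. The real-world counterparts of these steps are `gpg --fingerprint <key>` to compare fingerprints, `gpg --sign-key <key>` to certify, `trust` inside `gpg --edit-key <key>` to set ownertrust, and `gpg --update-trustdb` (or `--check-trustdb`) to recompute validity; `--always-trust` makes gpg encrypt to any key and sidesteps the check rather than answering it.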
